Gatekeeper Approved Apps

Overview

Evidence: Gatekeeper Approved Apps
Description: Collect Gatekeeper apps allowed to run
Category: System
Platform: macos
Short Name: gatekapp
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

The Gatekeeper approved apps list shows the binaries that Gatekeeper exceptions allow to run. This data is essential for understanding application allow-listing on the host and for detecting approvals that were not authorized.

Data Collected

This collector gathers structured data about Gatekeeper approved apps.

Gatekeeper Approved Apps Data

| Field            | Description        | Example                   |
|------------------|--------------------|---------------------------|
| Path             | Path               | Example value             |
| Requirement      | Requirement        | Example value             |
| CTime            | C Time             | 123                       |
| MTime            | M Time             | 123                       |
| LastChangeTime   | Last Change Time   | 2023-10-15 14:30:25+03:00 |
| ModificationTime | Modification Time  | 2023-10-15 14:30:25+03:00 |

Collection Method

This collector queries the gatekeeper_approved_apps table via osquery and records results into gatekeeper_apps.

Forensic Value

This evidence is crucial for forensic investigations because it highlights exceptions and approvals that may indicate a policy bypass, or persistence through an allow-listed binary.
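The following script is an added example for the Collection Method and Forensic Value sections above; it is not part of this collector's own code. It assumes the osquery table has the columns `path`, `requirement`, `ctime` and `mtime` (as the field list above suggests), parses the JSON that `osqueryi --json` would print for that query (a constructed sample is embedded so it runs offline), maps each row onto the field names in the table above with timestamps rendered in UTC, and then applies two hypothetical triage rules a reviewer might start with: approvals whose code requirement is not anchored to Apple's certificate chain, and approvals created within a recent window.

```python
import json
from datetime import datetime, timedelta, timezone

# Query the collector runs, per the Collection Method section. Example invocation
# (not executed here):  osqueryi --json "SELECT path, requirement, ctime, mtime FROM gatekeeper_approved_apps"
GATEKEEPER_QUERY = "SELECT path, requirement, ctime, mtime FROM gatekeeper_approved_apps"

# Constructed sample of osqueryi --json output: two rows, both made up for this example.
# The cdhash value in the second row is a placeholder, not a real code directory hash.
SAMPLE_OSQUERY_JSON = json.dumps([
    {
        "path": "/Applications/Example.app",
        "requirement": 'identifier "com.example.app" and anchor apple generic '
                       'and certificate leaf[subject.OU] = "TEAMID1234"',
        "ctime": "1697369425",  # 2023-10-15 14:30:25+03:00, the page's example timestamp
        "mtime": "1697369425",
    },
    {
        "path": "/Users/alice/Downloads/tool",
        "requirement": 'cdhash H"0123456789abcdef0123456789abcdef01234567"',
        "ctime": "1697800000",  # 2023-10-20 11:06:40 UTC
        "mtime": "1697800000",
    },
])


def _epoch_to_iso(value):
    """Render an osquery epoch-seconds string as an ISO 8601 timestamp in UTC."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc).isoformat()


def parse_gatekeeper_rows(raw_json):
    """Map osquery rows onto the collector's field names (see the data table above).

    CTime/MTime keep the raw integers; LastChangeTime/ModificationTime are the
    human-readable forms. Rendering in UTC is an assumption of this example.
    """
    rows = []
    for row in json.loads(raw_json):
        rows.append({
            "Path": row["path"],
            "Requirement": row["requirement"],
            "CTime": int(row["ctime"]),
            "MTime": int(row["mtime"]),
            "LastChangeTime": _epoch_to_iso(row["ctime"]),
            "ModificationTime": _epoch_to_iso(row["mtime"]),
        })
    return rows


def triage_approvals(rows, now, recent_window=timedelta(days=7)):
    """Return (row, reasons) pairs for approvals worth a second look.

    Rules are hypothetical starting points, not an official policy:
      - the requirement string does not contain "anchor apple", so the approval
        does not chain to Apple's root (ad-hoc or cdhash-pinned binaries land here);
      - the approval was created (ctime) inside the recent window.
    """
    flagged = []
    for row in rows:
        reasons = []
        if "anchor apple" not in row["Requirement"].lower():
            reasons.append("requirement not anchored to Apple")
        created = datetime.fromtimestamp(row["CTime"], tz=timezone.utc)
        if now - created <= recent_window:
            reasons.append("approved within the last %d days" % recent_window.days)
        if reasons:
            flagged.append((row, reasons))
    return flagged


if __name__ == "__main__":
    parsed = parse_gatekeeper_rows(SAMPLE_OSQUERY_JSON)
    for row, reasons in triage_approvals(parsed, now=datetime.now(timezone.utc)):
        print(row["Path"], "|", row["LastChangeTime"], "|", "; ".join(reasons))
```

In a real run, `SAMPLE_OSQUERY_JSON` would be replaced with the text captured from `osqueryi`, and the `now` argument with the acquisition time so that "recent" is measured relative to when the evidence was collected rather than when it is reviewed.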
